package aip.core.mvc.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

public class DisableUrlSessionFilter implements Filter
{

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException
    {
        // First, let's exit quickly if for some reason the current request is
        // non-HTTP, and cast the request and response objects to their
        // HTTP-specific equivalents
        // skip non-http requests
        if (!(request instanceof HttpServletRequest))
        {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Next, let's invalidate any sessions that are backed by a URL-encoded
        // session id. This prevents an attacker from generating a valid link.
        // Just because we won't be generating session-encoded links doesn't
        // mean someone else won't try
        // clear session if session id in URL
        if (httpRequest.isRequestedSessionIdFromURL())
        {
            HttpSession session = httpRequest.getSession();
            if (session != null) session.invalidate();
        }
        // wrap response to remove URL encoding
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(
                httpResponse)
        {
            @Override
            public String encodeRedirectUrl(String url)
            {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url)
            {
                return url;
            }

            @Override
            public String encodeUrl(String url)
            {
                return url;
            }

            @Override
            public String encodeURL(String url)
            {
                return url;
            }
        };

        // process next request in chain
        chain.doFilter(request, wrappedResponse);
    }

    /**
     * Unused.
     */
    public void init(FilterConfig config) throws ServletException
    {
    }

    /**
     * Unused.
     */
    public void destroy()
    {
    }

}
